#asknostr

How do you prove that a running server/service runs on a certain commit?

In a verifiable manner not requiring trust. Like believing that the written commit hash on the page footer is really the correct commit hash?

#grownostr #dev #service

Discussion

Verifying a downloaded source code app with the signature of the creator is easy.

But do we have a method to verify running services? In a proven way?

#asknostr #nostr

nostr:nevent1qqsdp97ucep4y2zr7wkmjmtdfnva4paxwaws63qm7mppgd9mg28380spzamhxue69uhky6t5vdhkjmn9wgh8xmmrd9skctczyqvj3m34tr65uvtymqwjds67zg7z2jawz2p4f4mp04lasckhpkdzkqcyqqqqqqgecuwge

From an external view, you can't. If you have access to the binaries, you could compile the source at the stated commit and compare the result with the running ones.

And even if the service lets you check the binaries, it can show you fake binaries that will match.

Yeah right. In the end it's all about what you have under your control and what not.

It's an ongoing area of research called remote attestation.
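
A toy model of the remote attestation idea named in the last reply, added here as an example and not posted by anyone in the thread. It shows why a self-reported hash proves nothing, and what a nonce-bound measurement signed by a key outside the operator's control adds. Assumptions: `HW_KEY` with HMAC stands in for a vendor-certified asymmetric attestation key, and the "binaries" are constructed byte strings.

```python
import hashlib, hmac, json, os

# Assumption: stand-in for a key held inside trusted hardware. Real schemes use
# an asymmetric key with a vendor certificate chain, so the verifier holds only
# the public half; HMAC is used here to stay within the standard library.
HW_KEY = b"constructed-demo-key"

def measure(binary: bytes) -> str:
    """Digest of the code that was actually loaded (the 'measurement')."""
    return hashlib.sha256(binary).hexdigest()

def hw_quote(loaded_binary: bytes, nonce: bytes) -> dict:
    """Trusted hardware: measure what was loaded, sign it with the nonce."""
    body = {"measurement": measure(loaded_binary), "nonce": nonce.hex()}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(HW_KEY, msg, hashlib.sha256).hexdigest()}

def verify_quote(quote: dict, nonce: bytes, expected: str) -> str:
    """Verifier: return 'ok' or the reason the quote is rejected."""
    msg = json.dumps(quote["body"], sort_keys=True).encode()
    good = hmac.new(HW_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, quote["sig"]):
        return "bad signature"            # body was edited after signing
    if quote["body"]["nonce"] != nonce.hex():
        return "stale or replayed quote"  # not produced for this challenge
    if quote["body"]["measurement"] != expected:
        return "measurement mismatch"     # running code is not the claimed build
    return "ok"

def demo() -> dict:
    # Constructed samples. 'expected' is what the verifier gets by reproducibly
    # building the claimed commit itself.
    claimed = b"service built from the claimed commit"
    patched = b"service built from the claimed commit plus a local patch"
    expected = measure(claimed)
    n1, n2 = os.urandom(16), os.urandom(16)
    results = {
        "honest": verify_quote(hw_quote(claimed, n1), n1, expected),
        "modified": verify_quote(hw_quote(patched, n2), n2, expected),
    }
    # Operator rewrites the reported hash without access to the hardware key.
    forged = hw_quote(patched, n2)
    forged["body"]["measurement"] = expected
    results["forged"] = verify_quote(forged, n2, expected)
    # Operator replays an old honest quote against a fresh challenge.
    results["replayed"] = verify_quote(hw_quote(claimed, n1), os.urandom(16), expected)
    return results

if __name__ == "__main__":
    print(demo())
```

The whole result still rests on trusting the measuring hardware and its key, which is the part the thread describes as outside your control.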